Description

wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.

PUBLISHED Reserved 2025-04-09 | Published 2025-04-09 | Updated 2025-11-03 | Assigner mitre




CRITICAL: 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

Product status

Default status: unaffected

Any version before 21.12: affected

22 (custom) before 24.8: affected

25 (custom) before 27.2: affected

28 (custom) before 28.3: affected

References

seclists.org/fulldisclosure/2025/Jul/11

tiki.org/article517

tiki.org/article518

gitlab.com/...ommit/be8dc1aa220fbceb07a7a5dc36416243afccd358

gitlab.com/...ommit/801ed912390c2aa6caf12b7b953e200f5d4bc0b1

gitlab.com/...ommit/406bea4f6c379a23903ecfd55e538d90fd669ab0

gitlab.com/...ommit/9ffb4ab21bd86837370666ecd6afd868f3d7877a

gitlab.com/...ommit/f3f36c1ac702479209acfcaec5789d2fd1f996bc

cve.org (CVE-2025-32461)

nvd.nist.gov (CVE-2025-32461)
